diff options
| -rw-r--r-- | src/catlfish.erl | 23 | ||||
| -rwxr-xr-x | tools/merge.py | 2 | ||||
| -rw-r--r-- | tools/mergetools.py | 43 | ||||
| -rwxr-xr-x | verifycert.erl | 2 |
4 files changed, 44 insertions, 26 deletions
diff --git a/src/catlfish.erl b/src/catlfish.erl index d940147..68e96ea 100644 --- a/src/catlfish.erl +++ b/src/catlfish.erl @@ -293,27 +293,26 @@ entryhash_from_entry(PackedEntry) -> %% Private functions. -spec pack_entry(normal|precert, binary(), binary(), [binary()]) -> binary(). pack_entry(Type, MTLText, EndEntityCert, CertChain) -> - list_to_binary( - [tlv:encode(<<"MTL1">>, MTLText), - tlv:encode(case Type of - normal -> <<"EEC1">>; - precert -> <<"PRC1">> - end, EndEntityCert), - tlv:encode(<<"CHN1">>, - list_to_binary( - [tlv:encode(<<"X509">>, E) || E <- CertChain]))]). + [{<<"MTL1">>, MTLText}, + {case Type of + normal -> <<"EEC1">>; + precert -> <<"PRC1">> + end, EndEntityCert}, + {<<"CHN1">>, + list_to_binary( + [tlv:encode(<<"X509">>, E) || E <- CertChain])}]. -spec unpack_entry(binary()) -> {normal|precert, binary(), binary(), [binary()]}. unpack_entry(Entry) -> - {<<"MTL1">>, MTLText, Rest1} = tlv:decode(Entry), - {EECType, EndEntityCert, Rest2} = tlv:decode(Rest1), + [{<<"MTL1">>, MTLText}|Rest1] = Entry, + [{EECType, EndEntityCert}|Rest2] = Rest1, Type = case EECType of <<"EEC1">> -> normal; <<"PRC1">> -> precert end, - {<<"CHN1">>, PackedChain, _Rest3} = tlv:decode(Rest2), % Ignore rest. + [{<<"CHN1">>, PackedChain}|_Rest3] = Rest2, Chain = unpack_certchain(PackedChain), {Type, MTLText, EndEntityCert, Chain}. diff --git a/tools/merge.py b/tools/merge.py index 7453fa4..f02ce39 100755 --- a/tools/merge.py +++ b/tools/merge.py @@ -22,7 +22,7 @@ from certtools import build_merkle_tree, create_sth_signature, \ check_sth_signature, get_eckey_from_file, timing_point, http_request, \ get_public_key_from_file, get_leaf_hash, decode_certificate_chain, \ create_ssl_context -from mergetools import parselogrow, get_logorder, read_chain, unpack_entry, \ +from mergetools import parselogrow, get_logorder, read_chain, \ verify_entry parser = argparse.ArgumentParser(description="") diff --git a/tools/mergetools.py b/tools/mergetools.py index 9f5feee..c3e9688 100644 --- a/tools/mergetools.py +++ b/tools/mergetools.py @@ -1,6 +1,7 @@ # Copyright (c) 2015, NORDUnet A/S. # See LICENSE for licensing information. import base64 +import hashlib import sys import struct from certtools import get_leaf_hash @@ -27,21 +28,39 @@ def read_chain(chainsdir, key): f.close() return value -def unpack_entry(entry): - pieces = [] - while len(entry): - (length,) = struct.unpack(">I", entry[0:4]) - type = entry[4:8] - data = entry[8:length] - entry = entry[length:] - pieces.append(data) - return pieces +def tlv_decode(data): + (length,) = struct.unpack(">I", data[0:4]) + type = data[4:8] + value = data[8:length] + rest = data[length:] + return (type, value, rest) + +def tlv_decodelist(data): + l = [] + while len(data): + (type, value, rest) = tlv_decode(data) + l.append((type, value)) + data = rest + return l + +def unwrap_entry(entry): + ploplevel = tlv_decodelist(entry) + assert(len(ploplevel) == 2) + (ploptype, plopdata) = ploplevel[0] + (plopchecksumtype, plopchecksum) = ploplevel[1] + assert(ploptype == "PLOP") + assert(plopchecksumtype == "S256") + computedchecksum = hashlib.sha256(plopdata).digest() + assert(computedchecksum == plopchecksum) + return plopdata def verify_entry(verifycert, entry, hash): - unpacked = unpack_entry(entry) - mtl = unpacked[0] + packed = unwrap_entry(entry) + unpacked = tlv_decodelist(packed) + (mtltype, mtl) = unpacked[0] assert hash == get_leaf_hash(mtl) - s = struct.pack(">I", len(entry)) + entry + assert mtltype == "MTL1" + s = struct.pack(">I", len(packed)) + packed try: verifycert.stdin.write(s) except IOError, e: diff --git a/verifycert.erl b/verifycert.erl index 5ff77c3..0db0051 100755 --- a/verifycert.erl +++ b/verifycert.erl @@ -8,7 +8,7 @@ write_reply(Bin) -> verify(RootCerts, DBEntry) -> try - case catlfish:verify_entry(DBEntry, RootCerts) of + case catlfish:verify_entry(tlv:decodelist(DBEntry), RootCerts) of {ok, _MTLHash} -> write_reply(<<0:8>>); {error, Reason} -> |